Re: (ITS#4756) IPv6 Addresses are not supported in ACL peername
ando@sys-net.it wrote:
> Damon.Groenveld@ca.com wrote:
>> Given that the code (in aclparse.c) calls inet_addr() with the
>> peername.ip parameter, I can't see how it could work with IPv6.
>>
>> The only possible workaround is using a regex instead of ip type which
>> bypasses the inet_addr() call.
>>
>> I raised it as a bug since the latest version (as far as I can tell) is
>> meant to support IPv6 and there is no way that peername.ip does and
>> there isn't an alternative.
>>
> The peername.ip was designed with IPv4 in mind. A patch to support IPv6
> in ACLs would be welcome, though. In the meanwhile, I believe a regex
> style would be the solution, but note that I have no idea of how IPv6
> would be stringified in the peername. Note that the whole issue is of
> questionable relevance, since IP-based access checking is not considered
> trustable.
Yes, peername.regex works fine.
Currently IPv6 peernames are reported as colon-separated hex octets
followed by a space, then the port number: "xxxx:....:zzzz ppppp". It
strikes me that we should be using URL format instead, which uses square
brackets: "[xxxx:....:zzzz]:ppppp".
--
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc
OpenLDAP Core Team http://www.openldap.org/project/
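
Added example, not part of the original message and not OpenLDAP code: a standalone C helper (hypothetical name parse_peername6) that accepts both IPv6 peername layouts quoted above and parses the address with inet_pton(), which handles IPv6 text where inet_addr() does not. The sample addresses used with it are constructed.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper (not from aclparse.c): split an IPv6 peername in either
 * form quoted in the thread, "addr port" or "[addr]:port", into a binary
 * address and a port. Returns 0 on success, -1 on malformed input. */
int parse_peername6(const char *s, struct in6_addr *addr, unsigned *port)
{
    char host[INET6_ADDRSTRLEN];
    const char *end, *p;
    char *stop;
    unsigned long n;
    size_t len;

    if (*s == '[') {                 /* URL form: [addr]:port */
        s++;
        end = strchr(s, ']');
        if (end == NULL || end[1] != ':') return -1;
        p = end + 2;
    } else {                         /* current form: addr<space>port */
        end = strchr(s, ' ');
        if (end == NULL) return -1;
        p = end + 1;
    }
    len = (size_t)(end - s);
    if (len == 0 || len >= sizeof(host)) return -1;
    memcpy(host, s, len);
    host[len] = '\0';

    /* inet_pton(AF_INET6, ...) understands IPv6 text; inet_addr() is IPv4-only. */
    if (inet_pton(AF_INET6, host, addr) != 1) return -1;

    if (*p < '0' || *p > '9') return -1;   /* strtoul alone would accept "-1" or " 5" */
    n = strtoul(p, &stop, 10);
    if (*stop != '\0' || n > 65535) return -1;
    *port = (unsigned)n;
    return 0;
}

/* Returns 1 when inet_addr(), the call named in the thread, rejects the text. */
int inet_addr_rejects(const char *text)
{
    return inet_addr(text) == INADDR_NONE;
}
```

Comparing the parsed binary address rather than the peername string also avoids mismatches between equivalent IPv6 spellings such as compressed and uncompressed forms.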